What a shame! I wrote that using the journalctl(1) command I can check
microcode updates etc., but I'm wrong, right? All this
kernel:microcode information about CPU0/1, sig and so on is not
something that will tell me if a microcode package is installed.

I think that if I install 'intel-microcode' (it's valid in my
case), the result about microcode, gathered e.g. via dmesg(1), will be
significantly different from the ones mentioned in my previous message.
So, it will probably look this way:

Note: I've changed the 'sig=' and 'revision=' values. As we can see, there
is some information about "Spectre_V2" mitigations etc. But it's
just an example of how everything will look after
'intel-microcode' package installation. So, the 'journalctl -k | grep
microcode' command result (see my previous message) is not sufficient
without the 'intel-microcode' package, right?

I'm sorry for my naive and pretty stupid questions.

Thanks, best regards.
_________________

By the way: where is the best place to write about an application
(available in 16.04 LTS) that is missing a few CVE security fixes:
CVE-2017-*? (Mostly, it's about heap-based buffer overflow, out-of-bounds
read, stack-based buffer over-read etc.) I'm asking because
this application has been updated with security patches even in 14.04
LTS, the Bionic version is also corrected etc. Should it be the maintainer,
or is this mailing list okay?

Note that the intel-microcode package that we published on 22 January 2018
reverted to Intel's version 20170707, after consulting with Intel. This
version of the microcode does not have any mitigations for Meltdown or
Spectre v1 or Spectre v2.

At this point we're waiting on our partners for more information.

This issue won't go away quickly.

> By the way: where is the best place to write about an application
> (available in 16.04 LTS) that is missing a few CVE security fixes:
> CVE-2017-*? (Mostly, it's about heap-based buffer overflow, out-of-bounds
> read, stack-based buffer over-read etc.) I'm asking because
> this application has been updated with security patches even in 14.04
> LTS, the Bionic version is also corrected etc. Should it be the maintainer,
> or is this mailing list okay?

This mail list, or IRC (#ubuntu-hardened on irc.freenode.net), both
work. Which package and CVEs are you curious about?

Note that packages in universe are community supported. The answer might
be as simple as "because no one has given us fixes yet".